The United States government is alerting organizations about the Royal ransomware operation. The Federal Bureau of Investigation (FBI) and the Cybersecurity & Infrastructure Security Agency (CISA) said in a joint advisory that the Royal ransomware gang poses an increasing threat to critical infrastructure of numerous sectors in the U.S.
The Royal ransomware group has been targeting different sectors across the country and abroad. Among its victims are health care, education, communications, and manufacturing organizations.
How the Royal Ransomware Gang Operates
According to the FBI and CISA, Royal actors use phishing links to access an organization’s
network. These links carry a malware downloader. The cyber threat actors then disable the
network’s antivirus software, extract large amounts of data, and encrypt systems.
Other than phishing links, the Royal ransomware gang also uses these other tools to get into an organization’s network, including:
Remote desktop protocol (RDP)
Initial access brokers
Exploitation of public-facing applications
Royal Ransomware Made Rounds Since 2022
The Royal ransomware gang first made rounds in early 2022. It used third-party ransomware like Zeon when it started. But it has since created its own ransomware and has been using it since September. It also uses other malicious tools to gather information and keep victims from restoring their data.
In December, the U.S. Department of Health and Human Services announced that Royal
ransomware targeted the health care sector. Royal’s leak page on the dark web listed two health care service providers as victims.
Royal actors had also made ransom demands in Bitcoin. These demands range between $1
million and $11 million. The ransom notes do not state ransom amounts and payment details. But these contain instructions on how to contact the group.
Royal Gang Is a Group of Experienced Cybercriminals
Security experts believe that experienced cybercriminals make up the Royal ransomware gang. These cyber threat actors have worked together in previous operations.
Cyber security experts noted similarities between the Royal operation and Conti – a Russian hacking enterprise. Conti disbanded in June 2022, giving rise to several cybercriminal groups. These groups applied the same phishing technique that the Royal gang now uses to deploy its ransomware.
Organizations Should Have a Data Recovery Plan in Place
The U.S. government advises businesses and organizations to have a data recovery plan in place. This plan ensures that organizations won’t lose their data in case Royal ransomware infiltrates their systems. Additionally, organizations can continue their operations in case of a ransomware attack.
A recovery plan includes:
maintaining multiple backups of data
implementing multi-factor authentication
securing accounts with unique and strong passwords
using monitoring tools to detect suspicious activity in their network
implementing network segmentation
updating all software and operating systems
auditing all accounts
disabling unused services
The Bottom Line: Businesses Should Be Ready for Ransomware Attacks
Businesses and organizations could lose all their data, including customers’ personal
information, from a ransomware attack. And this could incapacitate their business or at least disrupt operations. Their customers would also lose trust and confidence in them. As such, businesses and organizations should prepare themselves for possible cyberattacks. It is not enough to put measures in place to prevent it. They should also have a contingency plan in case they fall victim to a cybercrime.